 Rick Ho
IT Asset Management – Security Considerations
2009/08/20

For those of you who have read my article “Generations of IT Asset Management” in CIO Express magazine last month, I hope it has given you some inspiration and supported your development of an IT Asset Management strategy. As a supplement, I hope this blog will help you see how defining the right IT Asset Management strategy provides a useful tool to support your IT Security Management.

 
You may recall I pointed out that the very core of an IT Asset Management tool is the Asset Database, and how, towards the end of 1999, the asset data was used to identify any Y2K risks. This blog is about how, 10 years later in 2009, the asset data could be used to identify security issues in your IT infrastructure. (Note: Whether I am the first to write about security management utilizing the asset inventory database is not as important as the fact that, while most businesses have some form of IT Asset Management, the asset data is not effectively utilized to improve the value of IT.)
 
Let us start with the minimum security measure: security patching of the operating system and applications. Do not underestimate the importance of managing patches in a corporate environment; system vulnerability is one of the main root causes of security breaches. Whether the result is interruption to the business or data theft that ultimately leads to lost profit or even bankruptcy, security breaches are of the utmost priority in corporate security management.

It is a known fact that once a vulnerability is discovered and publicly known, attacks against it appear sooner and sooner. The term “zero-day attack” was born as threats come before a patch is available, or worse, before the manufacturer becomes aware of the vulnerability. By analyzing the software inventory data in your IT Asset Database, you should be able to classify each application into one of the following states:
a) Latest version/patch in use (green)
b) Patch available but not yet applied (yellow)
c) Known vulnerability but patch not yet available (red)
d) Software no longer supported by manufacturer (red)**

** When software is no longer supported, it means the manufacturer no longer commits to providing software patches should a vulnerability be reported. Many enterprises have a corporate security policy that prohibits the use of software that is not supported. Do not be mistaken: supported software can still have vulnerabilities, but because it is supported the manufacturer is committed to providing a patch, an upgrade or a workaround to alleviate the risks. A good example is Microsoft’s Windows XP operating system, which has ended its “mainstream support” and moved onto “extended support”, which is scheduled to end around the year 2014. This means enterprises will be migrating onto the next operating system once the next SOE (standard operating environment) is designed and tested for compatibility with business applications.
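
The four-state classification above can be run directly over software inventory rows. The following is an added example, not code from the original article or from any Gamutsoft product. The catalog fields, product names, versions and dates are constructed, and both the order in which the states are checked (red before yellow) and the extra "unclassified" bucket for software with no vendor data are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed vendor catalog: product names, versions and dates are made up.
CATALOG = {
    "ExampleOffice": {"latest": "12.0.10", "support_ends": date(2015, 1, 1), "unpatched_vuln": False},
    "ExampleReader": {"latest": "9.1.0", "support_ends": date(2012, 1, 1), "unpatched_vuln": True},
    "LegacySuite": {"latest": "4.2.0", "support_ends": date(2008, 6, 30), "unpatched_vuln": False},
}

# Constructed software inventory rows: (host, product, installed version).
INVENTORY = [
    ("pc-001", "ExampleOffice", "12.0.10"),
    ("pc-002", "ExampleOffice", "12.0.9"),
    ("pc-002", "ExampleReader", "9.1.0"),
    ("pc-003", "LegacySuite", "4.2.0"),
    ("pc-003", "UnlistedTool", "1.0"),
]

def version_key(version):
    """Compare versions numerically so that 12.0.10 sorts after 12.0.9."""
    return tuple(int(part) for part in version.split("."))

def classify(product, installed, as_of, catalog=CATALOG):
    """Return (state, colour) using the article's states a) to d)."""
    entry = catalog.get(product)
    if entry is None:
        # Not one of the article's states: no vendor data, so flag for review.
        return ("unclassified", "review")
    if entry["support_ends"] < as_of:
        return ("d", "red")      # no longer supported by the manufacturer
    if entry["unpatched_vuln"]:
        return ("c", "red")      # known vulnerability, no patch available yet
    if version_key(installed) < version_key(entry["latest"]):
        return ("b", "yellow")   # patch available but not yet applied
    return ("a", "green")        # latest version/patch in use

def report(inventory, as_of):
    """Classify every inventory row and count rows per colour."""
    rows = [(host, product, *classify(product, version, as_of))
            for host, product, version in inventory]
    return rows, Counter(colour for *_, colour in rows)

if __name__ == "__main__":
    rows, totals = report(INVENTORY, date(2009, 8, 20))
    for row in rows:
        print(*row)
    print(dict(totals))
```

Comparing versions as plain strings would rank 12.0.9 above 12.0.10 and report an unpatched machine as green, which is why the versions are compared numerically.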
© 2009 Gamutsoft. All Rights Reserved